Yesterday I had a test in a similar scenario. Windows 2025 fully up to date and VMware 8.0.2.
Setting the AvailableUpdates registry value to 0x5944 and running manually the Secure-Boot-Update scheduled task, after two run and two reboots I could see the DB updated with the new 2023 certificates. After these reboots I had AvailableUpdates=0x4004 and running the scheduled task again and rebooting the VM again did not change it anymore, the KEK could not be updated (I can see only event id 1801 in the registry, no other errors).
So I guess that if the VM finds the PK null, as is common in VMware environments today, the automatic process could not be completed (https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html). PK and KEK must be updated manually as described in the Broadcom KB https://knowledge.broadcom.com/external/article/423919. Only after PK and KEK are up to date the automatic process can be completed and DB and Bootloader can be updated by the Microsoft scheduled task.